z = xz
keys = \
	'E1F0 36B1 FEE7 221F C778  ECEF B0B5 E886 96AF E6CB'

upstream_archive = $(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).tar
upstream_url = https://www.kernel.org/pub/software/scm/git/$(upstream_archive)
source_archive = ../$(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.$(z)

GNUPGHOME = gnupghome
# TODO: When GnuPG is built with TLS support, delete the second "keyserver" line
# to switch to a non-SKS keyserver.  We can't switch yet, because the Web server
# at keys.openpgp.org redirects (HTTP 301) to HTTPS (and enforces it with HSTS).
keyserver = hkps://keys.openpgp.org
keyserver = hkp://pool.sks-keyservers.net
keyring = ../keyring.gpg
cleanup = gpgconf --kill all; rm -Rf '$(GNUPGHOME)'; sleep 5

$(keyring):
	gpg --recv-keys $(keys) || { rm -Rf '$@'; exit 1; }
	rm -f '$@~'

$(source_archive): $(keyring)
	wget -c '$(upstream_url).$(z)' '$(upstream_url).sign'
	unxz -c '$(upstream_archive).$(z)' 1>'$(upstream_archive)'
	gpg --verify '$(upstream_archive).sign'
	rm '$(upstream_archive)'
	mv '$(upstream_archive).$(z)' '$(source_archive)'

source:
	install -m 0700 -d '$(GNUPGHOME)'
	umask 0177; printf 'keyserver $(keyserver)\n' \
		1>'$(GNUPGHOME)/dirmngr.conf'
	umask 0177; printf 'no-default-keyring\nkeyring $(keyring)\nverbose\n' \
		1>'$(GNUPGHOME)/gpg.conf'
	GNUPGHOME='$(GNUPGHOME)' $(MAKE) -f ../source.mk '$(source_archive)' \
		|| { $(cleanup); exit 1; }
	$(cleanup)